by Obscurity4340 1096 days ago
Hate to say it but these remaining users were and are fools for not having jumped ship like yesterday. This is not a serious + competent password manager product/company. Hopefully they had backups or they are in for a world of hurt dealing with the worse mess of being stuck in such an absurd loop.

Hey I'm not a fool! Just time poor and a bit lazy.

Also I use 1Password at work and find it a bit doddery compared to LP, which is no speed demon itself.

It took me 30 min to migrate from LastPass to BitWarden, they have a process to import the passwords so it really doesn't require any effort.

https://bitwarden.com/help/import-from-lastpass/

It does require effort though. Migrating the passwords is a thing in the process, but there is also finding a good alternative first, that integrates well with the software one uses, getting used to a new UI, new shortcuts, new bugs, etc.

All in all, it does take (much) more than 30 minutes.

I hear you, and generally you are correct, but migrating from LastPass to BitWarden (and setting up the extension to work exactly the way I liked LastPass to work) truly did take 30 minutes. I wasn't expecting 100% feature parity but it's there. What took the longest was discovering CTRL+SHIFT+L is the shortcut to auto-populate username/password in forms. Pressing it again will cycle to the next account in the vault.
I knew about Ctrl+Shift+L but never thought to try using it to rotate through multiple credentials. Thanks for that!
LastPass user here that probably should migrate. Is that keybinding changeable, and how is the iOS experience?
It’s great on iOS! It integrates into the password manager just like LastPass did, so you get the “Passwords” button or the account name. If you have faceID or touchID set up, it’ll auto auth you and autofill the password. Bitwarden is seriously almost a drop in replacement. The biggest difference is the extension settings in browsers don’t autofill by default in the same way as LastPass. Also you can self host bitwarden (what I do).
> that keybinding changeable

Any shortcuts used by extensions based on the WebExtensions API are changeable. If you're on Firefox, press Ctrl+Shift+A (or go to about:addons), open the gear menu, and click "Manage Extension Shortcuts".

I tried Bitwarden for a bit and found it to be quite janky. Not good UX overall.
You don't have to achieve all at once. First migrate to a competent service before getting locked out of your secrets. Then you should change all passwords just in case there is a LP dev db leaking somewhere. Then you can investigate what that particular service does for you in terms of workflow and migrate later if you find one that better suits your needs.
It took me 30 minutes to do this process as well. Then it took days and weeks to find a bunch of corner cases that Bitwarden missed. At the same time it took me a few weeks to realize that I just don't like Bitwarden's UX. Their mobile app is just bad. It's slower than competitors, common actions take more button clicks, and the UI doesn't look good (it looks like it was built by programmers for programmers). Combining that altogether meant I couldn't move my family onto Bitwarden and my migration was a wasted effort.
BitWarden didn’t lose any of my passwords (which is what I assume you meant by “corner cases”), and their UX on Chromium and iOS are about on par with LastPass, so I’m not quite sure what difficulties you may have experienced. And while BitWarden’s iOS app isn’t well optimized, considering it’s a FOSS solution I am more than happy with that minor trade-off. I also haven’t had any trouble moving others onto it, even the more tech-illiterate people in my life.

It’s certainly not perfect, but I’m not quite sure these issues are consistent enough to be indicative of BitWarden’s quality. I mean if it’s lost your passwords I would assume that’s something worth making an issue about on their GitHub?

LastPass' CSV export can't handle certain characters so the exported password is wrong. I doubt they've fixed that. It was in the product during the 10-12 years I used LastPass.
Worse than that, LP notes are multi line which makes importing a bloody nightmare! Especially if you have any CSV characters in the note.

I had to modify the native CSV with some vim magic to add a line delimiter for each record so it allowed for spanning over multiple lines in order to successfully import each entry - which also required the importer to allow for an additional EOR marker.

Even then there wasn't a 1:1 column match between pw apps.

Without this step though all sorts of hell breaks loose, and if you don't notice the columns got out of sync during import because a note had a few commas in it, what good is it to you, really? It's a hell of a mess that you may not notice until it's too late.

There should also be a verify feature for any import that can query the original source via some API calls - or use that to do the import. Of course nobody is going to provide that because it means users can leave their ecosystem too easily - but the other thinking is customized backups to a PGP destination suitable for direct import via the same API calls.

This was for LP to KeePass BTW.
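The column drift the previous two comments describe (multi-line notes, commas and quotes inside fields) is exactly what a line-oriented script or `cut -d,` gets wrong and an RFC 4180 parser gets right. Below is an added example, not code from this thread or from LastPass, KeePass or Bitwarden: the sample export is constructed, the column set is an assumption modelled on the LastPass CSV layout, and the third row is deliberately malformed so the width check has something to catch. It also re-exports with every field quoted and re-parses its own output, a local stand-in for the "verify after import" feature the comment above wishes for.

```python
import csv
import io

# Constructed sample modelled on a LastPass CSV export; the column set is an
# assumption, and the rows are made up. Row 1 has a password containing a comma
# and a note spanning three lines with a comma and doubled quotes inside it.
# Row 3 is deliberately malformed: its note is not quoted, so the comma inside
# it shifts every later column by one.
SAMPLE_EXPORT = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    'https://example.com,alice,"p@ss,word",,"line one\n'
    "line two, with comma\n"
    '""quoted"" line",Example,Work,0\n'
    'https://example.org,bob,plain,,"single line note",Other,Personal,1\n'
    "https://bad.example,carol,pw,,note with, comma,Bad,Misc,0\n"
)


def naive_parse(text):
    """What a split-on-newline-then-comma script (or `cut -d,`) sees.

    Every physical line becomes a row, so a multi-line note becomes several
    rows and an embedded comma becomes an extra column."""
    return [line.split(",") for line in text.splitlines()[1:] if line]


def parse_export(text):
    """RFC 4180 parse: quoted fields may span lines and hold commas or quotes.

    Returns (header, records, problems); problems lists (line_num, field_count)
    for rows whose width does not match the header, i.e. the column drift the
    thread describes, instead of silently importing shifted data."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    records, problems = [], []
    for fields in reader:
        if not fields:  # blank line between records
            continue
        if len(fields) != len(header):
            problems.append((reader.line_num, len(fields)))
            continue
        records.append(dict(zip(header, fields)))
    return header, records, problems


def reexport(header, records):
    """Write records back out with every field quoted, which any RFC 4180
    importer reads unambiguously regardless of commas or newlines in notes."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for record in records:
        writer.writerow([record[column] for column in header])
    return out.getvalue()


def round_trips(header, records):
    """Re-parse our own output and confirm nothing changed or was dropped."""
    header2, records2, problems2 = parse_export(reexport(header, records))
    return header2 == header and records2 == records and not problems2


if __name__ == "__main__":
    header, records, problems = parse_export(SAMPLE_EXPORT)
    print(f"{len(records)} clean records, misaligned rows (line, width): {problems}")
    print("naive row widths:", sorted({len(r) for r in naive_parse(SAMPLE_EXPORT)}))
    print("round trip ok:", round_trips(header, records))
```

Run it on a real export by replacing SAMPLE_EXPORT with the file contents read with `open(path, newline="")`; anything reported in `problems` should be fixed (or quoted by hand) before the file goes near an importer, and a non-empty `problems` list is a far better signal than noticing a shifted column months later.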

> BitWarden didn’t lose any of my passwords

Do we know that considering how they handle iframes and how lax they seem about it?

> it really doesn't require any effort.

That's because you don't have or don't know about all those custom fields that don't get exported by LastPass, which turns real migration from 30min to many hours

Also it'd be wise to change passwords during the migration as well given all the hacks, which is another set of hours

BitWarden has custom fields too, though if LP doesn't export them, then yes that's a pickle. I don't know about attachments, but notes do transfer though they're stored a few clicks deeper in the "vault".

I would argue if password updates are required because of LP's insecurity, that's really not a migration issue, that's just a LP issue.

And you shouldn’t change the passwords if you aren’t migrating?
Once you hit 300+ sites, with attachments and custom fields, it starts to be one of those ‘I am going to pretend this app will work out if I ignore it’ things rather than an easy afternoon project.
I have more than 400 websites in mine, but not a single one has custom fields or attachments and I can't think of a single reason why that would be necessary.
Preferably, you change all your passwords too, which is the time-consuming part.
Do the migration first, then rotate passwords over time.

If you're still using LP, and haven't been bitten by this, do it now. Do the migration.

Once the migration is done, start rotating passwords as soon as you can.

Bitwarden import of Lastpass was a pain in the ass when I did it and required hours of cleanup.
I swapped the day LP announced removal of free tiers. It was nearly instantaneous.

I have over 300 passwords, multiple cards. Multiple notes. All synced flawlessly.

Glad you had an easy go of it. It messed a lot of things up for me and I had to ultimately cobble together a bunch of scripts that would find the mistakes so I could go in and manually correct each one (with like three extra clicks than necessary for each operation because Bitwarden's UI is trash). I think people who only used really basic LastPass features may not have had those problems. But I had LastPass Family with sharing and folders and it was a massive mess because the LastPass export was buggy and then incomplete. And Bitwarden is not able to iterate on fixing imports so you're stuck manually correcting import errors and duplicates. Not to mention that editing and updating in Bitwarden is a real pain in the ass because bulk operations are missing. I was really shocked at how shitty Bitwarden's database tools are when I actually had to try and use them.
That happened to me only because I imported the file twice or three times, thinking records would be overwritten when they completely matched. Oh, and because it also imported deleted (but not flushed/emptied out) entries, which in hindsight I found to be a good practice. Aside from that, importing was straightforward and categorizing the many uncategorized entries a breeze compared to LastPass.
> Hopefully they had backups

We know they do, since they got their backups stolen not even a year ago lol.

Ah but maybe they reacted to that by stopping backup jobs. Wouldn't put it past them, pretty shambolic operation.
I continue to use LastPass because I’m lazy and I never trusted any app fully in the first place. All my main account passwords are in my head alone.
Yeah. I don't get this. I've never required a password manager, maybe I'm just good at remembering passwords.

And why would you even trust a cloud based product. If I can't see the hosted source code storing the password then I'm not trusting it regardless.

> I've never required a password manager, maybe I'm just good at remembering passwords.

How is this possible? I must have at least 50 passwords I use with some regularity and many more I use once a year or so. All my passwords are at least 16 characters long and totally random. Are you able to remember that without compromises like repeat passwords or patterns used for generating them (including website name in password or similar)?

If you can remember your passwords I have a strong suspicion that you’re using weak passwords and/or re-using them. All my passwords are 12+ (whatever the site max is) random alphanumeric+symbols and don’t get re-used across sites - there is no possible way I could remember them all.
Diceware is easy to remember.

https://www.eff.org/deeplinks/2016/07/new-wordlists-random-p...

https://www.eff.org/dice

This generator uses a different wordlist with about 18000 words.

https://1password.com/password-generator

Using a quick back-of-the-napkin calculation, you get roughly this amount of entropy from 1password's wordlist when compared to random alphanumeric strings [a-zA-Z0-9]:

  - 5 words ≈ 12 chars
  - 6 words ≈ 14 chars
  - 7 words ≈ 17 chars
  - 8 words = 19 chars
If we take 5 words as the minimum you'd want to use on a web service:

  - halvers persia dutiful manes party
  - append medalist society duke disobey
  - acoustic halo assuage upkeep dexter
  - area theist motile align trespass
As a non-native English speaker (which should be obvious from my strained speech), I'd say it's rememberable enough.
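The back-of-the-napkin comparison in the comment above, carried through as an added example (not code from the thread, 1Password or the EFF): each uniformly chosen symbol contributes log2(pool size) bits, so a passphrase of n words from an 18000-word list is compared with a random [a-zA-Z0-9] string by equating total bits. The 18000 figure is the comment's estimate, the EFF large list size (7776 = 6^5) is the standard diceware size, and the stand-in wordlist and guess rate are constructed placeholders.

```python
import math
import secrets

# Pool sizes from the comment above. The 18000 figure is the comment's
# estimate for 1Password's list, not a number taken from 1Password itself.
WORDLIST_1PASSWORD = 18000
WORDLIST_EFF_LARGE = 7776        # 6**5: five dice rolls pick one word
ALPHABET_ALNUM = 62              # [a-zA-Z0-9]
ALPHABET_PRINTABLE = 95          # printable ASCII including symbols


def bits_per_symbol(pool_size):
    """Entropy of one symbol chosen uniformly from a pool of pool_size."""
    return math.log2(pool_size)


def passphrase_bits(words, pool_size=WORDLIST_1PASSWORD):
    """Entropy of `words` words drawn independently (with replacement)."""
    return words * bits_per_symbol(pool_size)


def string_bits(length, alphabet_size=ALPHABET_ALNUM):
    """Entropy of a uniformly random string of `length` characters."""
    return length * bits_per_symbol(alphabet_size)


def equivalent_length(bits, alphabet_size=ALPHABET_ALNUM):
    """Random-string length with about the same entropy, rounded to the
    nearest character the way the comment's table does."""
    return round(bits / bits_per_symbol(alphabet_size))


def comparison_table(word_counts=(5, 6, 7, 8), pool_size=WORDLIST_1PASSWORD):
    """words -> equivalent alphanumeric length, reproducing the comment's table."""
    return {n: equivalent_length(passphrase_bits(n, pool_size)) for n in word_counts}


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected brute-force time (half the keyspace on average) at an assumed
    offline guess rate. The rate is a placeholder; what matters is that the
    same rate applies to both styles of secret being compared."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


# Stand-in wordlist built from the sample passphrases in the comment; far too
# small for real use (20 words ~ 4.3 bits each), present so the generator runs
# offline. A real list would be the EFF file or 1Password's.
DEMO_WORDS = ("halvers persia dutiful manes party append medalist society duke "
              "disobey acoustic halo assuage upkeep dexter area theist motile "
              "align trespass").split()


def generate_passphrase(words, wordlist=DEMO_WORDS):
    """Draw each word with the CSPRNG (secrets), never random.choice, and
    with replacement so every draw carries the full log2(len(wordlist)) bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for n, chars in comparison_table().items():
        print(f"{n} words ~ {chars} alphanumeric chars ({passphrase_bits(n):.1f} bits)")
    print(f"6 EFF words: {passphrase_bits(6, WORDLIST_EFF_LARGE):.1f} bits")
    print(f"12 alphanumeric chars: {string_bits(12):.1f} bits")
    print(f"5 words at 1e10 guesses/s: ~{years_to_crack(passphrase_bits(5)):.0f} years")
    print("sample (demo list only):", generate_passphrase(5))
```

The calculation only holds if the words are picked uniformly at random from the list; a passphrase you composed yourself from words you like has far less entropy than this table suggests, which is why diceware prescribes dice or a CSPRNG rather than choosing words by hand.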
9-12 characters upper and lower case with numerical and special characters, pretty much unique.
I’m sure we won’t talk you out of this, so I won’t try.

Anyone else reading this: do not just remember your passwords. Unless you’re Lord Nikon, if you can remember more than a handful of passwords, it’s because they’re weak enough to be memorable. Or worse, used in more than one place!

Use a password manager. Always. For everything.

I'm not against a password manager just cloud based ones where you have no sight on the source.

Nor are my passwords weak. Okay; seeing as one of my passwords expired lately.

U0ptz#^7--9

You zero pee tee zee hash up-thinggy 7 dash dash nine

Another:

L0@!tF..9w&

Lel zero at metal-gear-solid-noise tee follow dot dot nine walks and

I find that stuff very easy to remember. I just make a fantasy story based on the password.

L9d£5"s

Little 9 ducks cost 5 said sir.

HNr!##@t

Hacker News really can suck balls at times.

My 1Password has 1000 passwords/license keys/ssh keys/api keys stored for me, along with the associated username + 2fa code. There's no way I'm going to be able to remember more than a handful of those.

> And why would you even trust a cloud based product.

1Password's security model sounds pretty reasonable to me. The convenience of having my passwords backed up and synced to my devices is worth the tradeoff in security in my case.

> maybe I'm just good at remembering passwords

I've got close to 1500 stored passwords. How does one even start to remember those?

You're telling me you use all 1500 passwords? How many of them are obsolete?